Because the network is a prime route for attacks on vulnerable systems, minimising connectivity with other systems makes it easier to protect XP machines. Consequently, disconnecting XP devices entirely from the network is the best option.

But if access to specific applications is what's delaying a migration away from XP, MacDonald suggests a kiosk model, with users going to a centrally located departmental machine.

If you can't disconnect XP systems completely, the next step would be to block internet connections and limit communications to specific internal systems through a network- or host-based firewall.

Even with restricted internal access, isolate XP devices from other endpoint systems using virtual LANs or firewalls.

Step 2: Restrict apps

Lock down XP machines so they can't execute arbitrary code. This measure can be achieved through dedicated software, a host-based intrusion-prevention system, or Microsoft's Group Policy object (GPO)-based software restriction policies.

MacDonald says with the end of XP support, it's essential to allow only known-good apps to run.

A mandatory measure for all users remaining on XP machines to cut risk because 90 percent of malware runs in the context of the logged-in user.

Step 4: Bar browsing and email

Since most attacks come via email and the web, it makes sense to eliminate these vectors on XP devices. An up-to-date server-based system can instead provide these capabilities — for example, a remote desktop service or hosted virtual desktop server.

Step 5: Update software

XP may be out of support but other software running on the machines may not be and should be kept updated to minimise weaknesses.

It's important that antivirus, firewalls, software distribution clients, and browsers should be up to date, along with Java, Adobe, Office and other common infrastructure apps.

Step 6: Disable ports and drives

By disabling USB ports and CD and DVD drives, you are removing another route for the introduction of arbitrary executable code.

A network or host-based intrusion-protection system can help protect XP machines. It's worth confirming with your network or host-based supplier that it will continue to research XP vulnerabilities and attacks, and provide filters and rules to block such attacks.

Step 8: Monitor XP, Microsoft and threats

As well as monitoring XP systems for signs of compromise, organisations still running the OS should keep a close eye on Microsoft.

Although the company won't disclose new vulnerabilities against XP to those who haven't paid for Custom Support, it may release information about critical vulnerabilities to, say, Windows Server 2003, which could affect XP.

It's also worth checking community chat boards and threat intelligence feeds, as independent sources of information.

Step 9: Plan for an XP breach

Those still running XP systems need to have a plan for isolating the machines in question in the event of an attack, as well as ways to restore them to a known-good state.

It's also important to understand the cause of the problem to prevent a recurrence, and to have a backup plan to move users to supported systems rapidly in a catastrophe.

Step 10: Study costs

A cost-benefit analysis could show whether the measures involved in staying with XP temporarily might actually end up outstripping a more rapid migration.